Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 54ed772e authored by Vikash Garodia's avatar Vikash Garodia Committed by Gerrit - the friendly Code Review server
Browse files

msm: vidc_3x: Ensure validity of shared Q indices 



Video driver and firmware communicates over shared queue.
The queue header has the indices which synchronizes the read
and write between the driver and firmware modules.
This change ensures that the indices are within the valid
range before accessing them.

CRs-fixed: 2345481
Change-Id: I8b49383920c86d09c9456b9790015f7473e87d03
Signed-off-by: default avatarVikash Garodia <vgarodia@codeaurora.org>
parent 20714a8f

drivers/media/platform/msm/vidc_3x/venus_hfi.c

+43 −24
Original line number Diff line number Diff line 
/* Copyright (c) 2012-2016, 2018 The Linux Foundation. All rights reserved.

/* Copyright (c) 2012-2016, 2018-2019 The Linux Foundation. All rights reserved.

 *

 * This program is free software; you can redistribute it and/or modify

 * it under the terms of the GNU General Public License version 2 and
@@ -330,7 +330,7 @@ static int __write_queue(struct vidc_iface_q_info *qinfo, u8 *packet, 
{

	struct hfi_queue_header *queue;

	u32 packet_size_in_words, new_write_idx;

	u32 empty_space, read_idx;

	u32 empty_space, read_idx, write_idx;

	u32 *write_ptr;



	if (!qinfo || !packet) {
@@ -353,16 +353,18 @@ static int __write_queue(struct vidc_iface_q_info *qinfo, u8 *packet, 
	}



	packet_size_in_words = (*(u32 *)packet) >> 2;

	if (!packet_size_in_words) {

		dprintk(VIDC_ERR, "Zero packet size\n");

	if (!packet_size_in_words || packet_size_in_words >

		qinfo->q_array.mem_size>>2) {

		dprintk(VIDC_ERR, "Invalid packet size\n");

		return -ENODATA;

	}



	read_idx = queue->qhdr_read_idx;

	write_idx = queue->qhdr_write_idx;



	empty_space = (queue->qhdr_write_idx >=  read_idx) ?

		(queue->qhdr_q_size - (queue->qhdr_write_idx -  read_idx)) :

		(read_idx - queue->qhdr_write_idx);

	empty_space = (write_idx >=  read_idx) ?

		((qinfo->q_array.mem_size>>2) - (write_idx -  read_idx)) :

		(read_idx - write_idx);

	if (empty_space <= packet_size_in_words) {

		queue->qhdr_tx_req =  1;

		dprintk(VIDC_ERR, "Insufficient size (%d) to write (%d)\n",
@@ -372,13 +374,20 @@ static int __write_queue(struct vidc_iface_q_info *qinfo, u8 *packet, 


	queue->qhdr_tx_req =  0;



	new_write_idx = (queue->qhdr_write_idx + packet_size_in_words);

	new_write_idx = write_idx + packet_size_in_words;

	write_ptr = (u32 *)((qinfo->q_array.align_virtual_addr) +

		(queue->qhdr_write_idx << 2));

	if (new_write_idx < queue->qhdr_q_size) {

			(write_idx << 2));

	if (write_ptr < (u32 *)qinfo->q_array.align_virtual_addr ||

	    write_ptr > (u32 *)(qinfo->q_array.align_virtual_addr +

	    qinfo->q_array.mem_size)) {

		dprintk(VIDC_ERR, "Invalid write index");

		return -ENODATA;

	}



	if (new_write_idx < (qinfo->q_array.mem_size >> 2)) {

		memcpy(write_ptr, packet, packet_size_in_words << 2);

	} else {

		new_write_idx -= queue->qhdr_q_size;

		new_write_idx -= qinfo->q_array.mem_size >> 2;

		memcpy(write_ptr, packet, (packet_size_in_words -

			new_write_idx) << 2);

		memcpy((void *)qinfo->q_array.align_virtual_addr,
@@ -472,6 +481,7 @@ static int __read_queue(struct vidc_iface_q_info *qinfo, u8 *packet, 
	u32 packet_size_in_words, new_read_idx;

	u32 *read_ptr;

	u32 receive_request = 0;

	u32 read_idx, write_idx;

	int rc = 0;



	if (!qinfo || !packet || !pb_tx_req_is_set) {
@@ -504,7 +514,10 @@ static int __read_queue(struct vidc_iface_q_info *qinfo, u8 *packet, 
	if (queue->qhdr_type & HFI_Q_ID_CTRL_TO_HOST_MSG_Q)

		receive_request = 1;



	if (queue->qhdr_read_idx == queue->qhdr_write_idx) {

	read_idx = queue->qhdr_read_idx;

	write_idx = queue->qhdr_write_idx;



	if (read_idx == write_idx) {

		queue->qhdr_rx_req = receive_request;

		*pb_tx_req_is_set = 0;

		dprintk(VIDC_DBG,
@@ -516,21 +529,28 @@ static int __read_queue(struct vidc_iface_q_info *qinfo, u8 *packet, 
	}



	read_ptr = (u32 *)((qinfo->q_array.align_virtual_addr) +

				(queue->qhdr_read_idx << 2));

				(read_idx << 2));

	if (read_ptr < (u32 *)qinfo->q_array.align_virtual_addr ||

	    read_ptr > (u32 *)(qinfo->q_array.align_virtual_addr +

	    qinfo->q_array.mem_size - sizeof(*read_ptr))) {

		dprintk(VIDC_ERR, "Invalid read index\n");

		return -ENODATA;

	}



	packet_size_in_words = (*read_ptr) >> 2;

	if (!packet_size_in_words) {

		dprintk(VIDC_ERR, "Zero packet size\n");

		return -ENODATA;

	}



	new_read_idx = queue->qhdr_read_idx + packet_size_in_words;

	if (((packet_size_in_words << 2) <= VIDC_IFACEQ_VAR_HUGE_PKT_SIZE)

			&& queue->qhdr_read_idx <= queue->qhdr_q_size) {

		if (new_read_idx < queue->qhdr_q_size) {

	new_read_idx = read_idx + packet_size_in_words;

	if (((packet_size_in_words << 2) <= VIDC_IFACEQ_VAR_HUGE_PKT_SIZE) &&

		read_idx <= (qinfo->q_array.mem_size >> 2)) {

		if (new_read_idx < (qinfo->q_array.mem_size >> 2)) {

			memcpy(packet, read_ptr,

					packet_size_in_words << 2);

		} else {

			new_read_idx -= queue->qhdr_q_size;

			new_read_idx -= (qinfo->q_array.mem_size >> 2);

			memcpy(packet, read_ptr,

			(packet_size_in_words - new_read_idx) << 2);

			memcpy(packet + ((packet_size_in_words -
@@ -541,19 +561,18 @@ static int __read_queue(struct vidc_iface_q_info *qinfo, u8 *packet, 
	} else {

		dprintk(VIDC_WARN,

			"BAD packet received, read_idx: %#x, pkt_size: %d\n",

			queue->qhdr_read_idx, packet_size_in_words << 2);

			read_idx, packet_size_in_words << 2);

		dprintk(VIDC_WARN, "Dropping this packet\n");

		new_read_idx = queue->qhdr_write_idx;

		new_read_idx = write_idx;

		rc = -ENODATA;

	}



	queue->qhdr_read_idx = new_read_idx;



	if (queue->qhdr_read_idx != queue->qhdr_write_idx)

	if (new_read_idx != write_idx)

		queue->qhdr_rx_req = 0;

	else

		queue->qhdr_rx_req = receive_request;



	queue->qhdr_read_idx = new_read_idx;

	*pb_tx_req_is_set = (queue->qhdr_tx_req == 1) ? 1 : 0;



	if (msm_vidc_debug & VIDC_PKT) {